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Agenda 
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• Why Embedded Security Matters 

• (Theoretical) Example System 

• Timing Analysis 

• Power and EM Analysis 

• Encryption and Key Management 
1 • Software Update Security 

1 • Glitch Attacks 

1 • Summary and Best Practice 
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Embedded Security Matters 


^^^^^^^^^^B 
^^^^^^^^^^^H 


• Processors are everywhere 

— Often used to secure your information 

• Form the foundation of business cases 

- Payment, games, mobile phones, TV/video 

1 - Required to maintain essential assets 
1 • Crypto keys, passwords, firmware/code 

| • Drive economies (see above!) 

1 - Phones, consoles, pay TV HW; sold at loss 

B • Profits come from content and lock-in 

1 - Let's talk economics for a second © 
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Embedded Security Matters 
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• Systems development cost increasing 

- More people, more equipment, more 
complexity, more requirements 

- How much does a dev resource cost you? 

i • Hackers have the economic advantage 
1 -Costs more to build than to break 
1 -Time onmarket » timetomarket 
1 - Attacks only ever get cheaper / easier 
1 - Financial gain often not the motivation 
1 - Hackers share info, businesses do not 
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Embedded Security Matters 
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• Usually safe to assume hackers are: 

- Better equipped More resourceful 

- More knowledgeable 

- With greater motivation and resources 

1 • Time to give up? 

No! 

1 • Time to invest in security design 

1 - 1 st step: Understanding the vulnerabilities 

B • We've got an example system to hack © 
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(Theoretical) Example System 
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• GPG Embedded Encryption Key ('GEEK') 

- HW token with support for TDES, AES, RSA 

- 256k flash for code storage, 8GB flash for 
document storage (both AES encrypted) 

i • Verifies your GPG password/passphrase 

1 - Keys stored and operated on device 

| • Firmware can be updated in the field 

1 - Secure system uses HMACs for auth 

■ • Marketed to industry and governments 
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Timing Analysis 

Timing of RSA modulo exp operations 

- RSA most often uses 'square and multiply' 

- Processing of a 'V bit in the key requires 
more steps than processing a '0' bit 

• Therefore takes longer 

• 'Final reduction' step will also leak information 

Password / (H)MAC verification 

- Data dependant timing for compare 

• Allows for 'walking' through correct values 

• Correct guesses take longer to return than 



incorrect guesses 
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Timing Analysis - Eg 

Access password and HMAC 

- Compared using standard memcmp() 

- Work through all values of first byte 

• Time to error > when first byte correct 

- Once known, repeat for other bytes 

• 8 byte password in 256 x 8 rather than 256 A 8 
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[ Timing Analysis - 
' Close the Door! 

• Blinding of RSA operations 

- Changes the actual values processed 

• Therefore information gained through timing is 
not correlated to the data / key 

• Data independent compare operations 

- Ensure run time is same for all inputs 

I - Best implementation can depend on your 

1 processor / compiler ... but try; 

1 • XOR or bytewise compare across all bytes 

ft • AND / OR results together to form return value 

ft AND TEST IT 111 
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Power and EM Analysis 
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• Every transistor is doing you damage ... 

- Embedded devices = lots of transistors 

- Draw more current when switching states 

• Transmitting data, performing computations 

I - Processing is deterministic & repeatable 

- Each device & operation has a unique 
| power/ EM 'signature' 

1 • Different when any processed bits are different 
1 • Encryption processing depends on data & key 

ft - Therefore, emissions leak secret info! 
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Power and EM Analysis 

Selection function is vital 

- Method to differentiate captures based on 
a finite number of possible secret values 

• Eg Value of 1 bit based on part of key 

- Work through all possible secret values 

• Apply statistic analysis to the datasets 

- Eg separate into captures where bit=l or bit=0 

• Incorrect assumptions = no correlation 

• Correct assumptions = correlation 

- Decreased noise, increased signal 

- Selection fns exist for AES,DES,RSA,ECC, ... 
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Power and EM Analysis - Eg 




AESSubkey = Oxll 

GEEK AES power analysis -!0&aHip|btes 
Depends on accurate timing alignment 

- Frequency domain or Integration analysis 
can compensate for poor alignment 

- Still have to know roughly where crypto is 
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[ Power and EM Analysis - 
' Close the Door! 

• Random delays or round structure 

— Frequency / windowed analysis may work 

• Blinding or masking 

- Requires higher order analysis 

1 • Time / function limits on crypto 

1 - Depends on level of side channel leakage 

1 • Design to minimise use of secret data 
1 - Unique key per operation 
1 - Key management! ! 
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Encryption & Key Management 
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• Epic fail for many systems 

- Use bad (non-standard) crypto algorithms 

- Use good (standard) algorithms badly 

- Good design, poor management 

| -One key to rule them all! 
I (and in the darkness bind them) 

| • The algorithms are the easy part 

1 - RSA, ECC, TDES, AES, Serpent 

1 - Don't think proprietary / secret is better! 
B • The ksyis the secret! 
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Encryption - Eg 

GPG password in external flash memory 

- Encrypted with AES ECB 

- Location of password can be determined 

- Lots of other blocks have same value 

Probably 0x00 or OxFF before encryption (depends) 
Swap with password location -> password now known! 

0x696275c0eb3d6e6b8ceabaea4e279589 



0xl9537682cf c5f 228881c91712d0ac051 



0x0da873169c2ee2d80a706eabeab638da 



0x0da873169c2ee2d80a706eabeab638da 




0x0da873169c2ee2d80a706eabeab638da 
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Encryption - Eg 

Encryption key 'hidden' in flash (2BB$B) 

- Cannot be visually / statistically 
differentiated from encrypted memory 

- Location is random for each device 

Key location can be easily brute-forced 

- 8 x 1024 x 1024 x 1024 = 8,589,934,592 

- Run through all possible 32 byte key values 

• Decrypt known plaintext (eg unused flash) 

- lus per AES operation = all keys tried in 
~ 8590 seconds (less than 2 Vi hours) 



Slide No. 16 



Witham Laboratories 

Building Confidence in Payment Systems 













Encryption - Close the Door! 
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• Use your algorithms wisely 

— Approved modes of operation (ISO, NIST) 

- Industry standard padding (PKCS) 

• Understand limitations to the 

i algorithm / mode of operation 
1 - Encryption * authentication (usually) 
1 - Beware dictionary / frequency analysis 
1 - Beware transposition of encrypted data 

ft • Understand your need for encryption 
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Encryption - Close the Door! 
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• Use suitable mode of operation 

— Beware ECB or stream cipher modes 
(where contents change / may be known) 

• Unique key per device, and per use 

i — Don't use memory encryption key for 
encrypting system secrets 

| • Beware cryptographic errors 

1 - May indicate an attack (see glitching!) 

1 • Protect key storage 

1 - Obfuscation at a minimum w . h , h 

H Witham Laboratories 

^k Slide No. 1 8 Building Confidence in Payment Systems 








Glitching 



Every transistor is doing you damage ... 

— Each instruction switches many transistors 

• Usually all synchronised with a 'clock' 

— No two transistors are the same 

• Different locations, tolerances, I/O factors 

- A glitch forces some transistors to 
(not)operate when they shouldn't 

- Can be applied many different ways 

• Power, clock signal, EM, light 

• Changes operation of only a few transistors 
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Glitching - Eg 



HMAC fails, system sits in tight loop 

- Code executed on 'good' HMAC follows the 
machine code for the loop 

I f ( HMACi sOK(i mage)) ! =1 

{ wh i I e ( 1 ) } ; 
Execut eNewl y Do wn I oadedCode 

Glitch the clock, power, EM 

- Some transistors don't work properly 

- Jump in test/while fails, or PC increments 

- Hello 'ExecuteNewlyDownloadedCodeO' ! 
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Glitching - Close the Door! 
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• Check for function entry before exit 

• Confirm crypto OK before output 

- Eg perform twice, or encrypt then decrypt 

• Use watchdog(s) 

1 - Beware frequent watchdog activation 

I • Remember glitching produces 
1 Impossible' processor operations! 
1 -Code for errors which cannot happen 
1 - Beware compiler optimisation 
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Software Updates 
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• Most systems will accept SW updates 
- Remote and/or local, part replacement 

• Avoid common authentication secrets 

• Remember encryption * authentication 
I • Be aware of local interfaces 

I - JTAG, ICE, ROM bootloader 

1 - Disabled by SW, but maybe re-enabled ... 

1 • Ensure what you authenticate is what 
B you execute! 
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Software Updates - Eg 
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• Software written to flash before auth 

- Code only executed if auth passes 

• Unauth'd code stays in flash 

• Execute through glitch, code exploit 

■ • Software auth'd with RSA signature 

- Bug in ASN.l parsing allows stack overflow 

I - Expected as ASCII, uses strcmpQ rather 
1 than memcmpQ, terminates at nulls 

1 • System wide symmetric key for auth 
1 - Key exposed on one device ... 
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[ Software Updates - Close the 
' Door! 

• Authenticate what you want to execute 

• Execute what you authenticate 

- What prevents changes after auth? 

• Beware parsing functions 

1 - Do you authenticate before or after? 

1 - What are the impacts of both options? 

1 • Does the parse change /remove any data? 

1 • Can the parse be exploited /compromised? 
B - Overflow / null exit / assumed data positions, etc 

M m Avoid system wide secrets 
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Theoretical Example Summary 
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• Many different vulnerabilities 

- External flash exploitable even with AES 

- Password checking could be bypassed 

- Keys exposed through side channels 
1 - Software update function insecure 

| • Is that important? Depends ... 

1 — Home user * industry * government 

1 • Still more secure than encrypting on a PC 

ft • What are your threat profile / compliance reqs? 

!• What's the fix: Patch? Product recall? 
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Summary 
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• Understand your risk and threat profile 

- Depends on the market and product 

• Build testing into your time/cost budget 

- Greater threat -> greater dev time/cost 

1 - Ensure product meets the security specs 

I • No implementation is perfect 
1 — Plan for if wrteenabilifeiiasbailtifei^Giaiinel found 
1 • Remember product life-cycle security 
ft - Key management, code signing, etc 
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Questions? 




For further information please contact 

Andrew Jamieson 

Technical Manager 

Witham Laboratories 

Email: andrew.iamieson@withamlabs.com 

Phone: +61 3 9846 2751 
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